Development issues regarding the cerowrt test router project
From: Dave Taht <dave.taht@gmail.com>
To: Sebastian Moeller <moeller@caltech.edu>
Cc: "<cerowrt-devel@lists.bufferbloat.net>"
	<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] 3.3.2-8 and firewall
Date: Thu, 26 Apr 2012 16:20:14 -0700
Message-ID: <CAA93jw4Q-k_wv3v6XCPVYO6ogWubLbQ3DGchht1S-VaFFbAy8A@mail.gmail.com>
In-Reply-To: <5CFE07BB-A9A9-46F1-93CA-1B3644D2406B@caltech.edu>

On Thu, Apr 26, 2012 at 1:14 PM, Sebastian Moeller <moeller@caltech.edu> wrote:
> Hi Dave, hi list,
>
> Yesterday I upgraded to 3.3.2-8 (and did basic testing with the simple_qos.sh script, which worked okay). I have not gotten around to doing proper testing of the simple_qos script, but hope to do so over the next week (it will be pretty run-of-the-mill 4M/30M cable, so nothing exciting to expect). Today I tried to access the configuration interface on port 81 from my workplace (via IPv4) and was quite amazed that this actually worked.

This should be blocked from the outside world, actually. It is quite
probable that the simple_qos script mucks with that. The mixture
of firewall and qos/aqm rules in iptables is very complex and hard to
deal with.

Worse, I have my own firewall rules system (not in cerowrt) that is
very permissive about what protocols can be run across ipv6 in
particular, and across the local and guest network (examples: hip,
sctp, igmp, ospf, ipsec, etc.)

... but absolutely no way to wrap a gui around it.

Noted, logged, and will be fixed in the next build. I care a lot about
security. I would also like to make port 81 be https, too.

> In the past this never worked (and I think it would be a safer default if remote access to the configuration interface required an active decision from the user :) ). So, I went and created a custom rule to reject incoming connections on port 81 from wan (and now I cannot reach the GUI from outside; I am quite curious whether I managed to wedge it for good or whether I will still be able to reach the GUI from the lan or guest section...).

It sounds like you did the right thing.

> Now there is the possibility that I have brought this issue on myself by using the vanilla QOS scheme instead of simple_qos in production; if so, please let me know.

The openwrt qos system is obsolete in cerowrt (although I do plan to
improve it for openwrt), in favor of the ultimate replacement with the
'aqm' script, of which simple_qos is a test, and with which it exposed
bug #360.

Core differences are htb rather than hfsc, much better use of sfqred,
and support for diffserv marking.

Regrettably we're still transitioning; I'd really hoped to have
something solid and fully integrated with the aqm stuff by now. I
stumble across things like basic integration with uci, and was
originally planning to write the whole thing in lua. I still may.


>
> best
>        Sebastian
>
>
> --
> Sebastian Moeller
>
> telephone: +1-626-325-8598 /+1-626-395-6523 / +1-626-395-6616
> fax: 626-395-8826
> German GSM:  +49 - 15 77 - 1 90 31 41
> mobile:         +1-626-325-8598
>                +1-626-807-5242
> US CDMA: +1-626-807-5242
> moeller@caltech.edu
>
> Division of Biology
> MC 114-96
> California Institute of Technology
> 1200 East California Boulevard
> CA 91125, Pasadena
> USA
>



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
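The problem in this thread is that a ruleset mixing firewall and qos/aqm rules is hard to reason about by reading it, so the useful check is to ask the ruleset directly what it would do with a fresh connection to TCP/81 arriving on the WAN interface. The script below is an added example written for this thread; it is not CeroWrt or OpenWrt code. It parses the `*filter` table of an `iptables-save` dump, walks the INPUT chain the way netfilter would for a NEW packet (jumps into user chains, RETURN, chain policy), and reports the verdict. The interface names `ge00` (WAN) and `se00` (LAN) and both rulesets are assumed and constructed for illustration, not captured from a router; address matches (`-s`/`-d`) and port ranges are deliberately ignored, so a rule that depends on them is treated as matching any source.

```python
"""Audit an iptables-save dump: would a NEW inbound TCP connection to a given
port on the WAN interface be ACCEPTed by the INPUT chain?  Added example for
the port-81 discussion; not CeroWrt code.  Interface names are assumed."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _parse_rule(toks):
    """Turn the tokens of one '-A CHAIN ...' line into a rule dict.
    Only -i, -p, --dport(s), --state/--ctstate and -j are kept; -s, -d, -m,
    --comment, --reject-with and friends are skipped (their argument too)."""
    rule = {"match": {}, "target": None}
    i = 2                                   # skip '-A' and the chain name
    while i < len(toks):
        tok, negated = toks[i], False
        if tok == "!":                      # iptables-save writes '! -i lo'
            negated = True
            i += 1
            tok = toks[i]
        has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        arg = toks[i + 1] if has_arg else None
        if tok in ("-i", "--in-interface"):
            rule["match"]["iface"] = (arg, negated)
        elif tok in ("-p", "--protocol"):
            rule["match"]["proto"] = (arg, negated)
        elif tok in ("--dport", "--dports"):
            rule["match"]["dport"] = (arg, negated)
        elif tok in ("--state", "--ctstate"):
            rule["match"]["state"] = (arg, negated)
        elif tok in ("-j", "--jump"):
            rule["target"] = arg
        i += 2 if has_arg else 1
    return rule


def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT":
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]     # ':INPUT ACCEPT [0:0]'
            policies[name] = policy                # user chains carry '-'
            chains.setdefault(name, [])
        else:
            toks = shlex.split(line)
            if toks[0] == "-A":
                chains.setdefault(toks[1], []).append(_parse_rule(toks))
    return policies, chains


def rule_matches(rule, pkt):
    """Does a NEW packet {iface, proto, dport} satisfy every match of the rule?"""
    for key, (value, negated) in rule["match"].items():
        if key == "state":
            hit = "NEW" in value.split(",")
        elif key == "dport":                # '--dport 81' or '--dports 80,81'
            hit = str(pkt["dport"]) in value.split(",")
        else:
            hit = pkt[key] == value
        if hit == negated:                  # a miss, or a hit on a negated match
            return False
    return True


def verdict(policies, chains, chain, pkt, depth=0):
    """Walk `chain` for `pkt`.  Returns ACCEPT/DROP/REJECT, or None when a
    user-defined chain falls off its end and the caller keeps walking."""
    if depth > 32:
        raise RecursionError("jump loop in ruleset")
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break                            # fall through to the chain policy
        if target in chains:                 # jump into a user-defined chain
            result = verdict(policies, chains, target, pkt, depth + 1)
            if result is not None:
                return result
        # LOG, MARK and other non-terminal targets: keep walking
    policy = policies.get(chain)
    return policy if policy in TERMINAL else None


def gui_reachable_from_wan(dump, wan_iface="ge00", port=81):
    """True when a fresh TCP SYN to `port` arriving on `wan_iface` is accepted."""
    policies, chains = parse_filter_table(dump)
    pkt = {"iface": wan_iface, "proto": "tcp", "dport": port}
    return verdict(policies, chains, "INPUT", pkt) == "ACCEPT"


# Constructed sample: the WAN chain only lists what it allows and then falls
# off its end, so INPUT's ACCEPT policy lets the world reach the GUI on 81.
OPEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_wan - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ge00 -j input_wan
-A input_wan -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: explicit reject for the GUI ports from WAN, LAN still
# allowed, and a default DROP both at the end of input_wan and as INPUT policy.
FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_wan - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i se00 -j ACCEPT
-A INPUT -i ge00 -j input_wan
-A input_wan -p tcp -m multiport --dports 80,81 -j REJECT --reject-with tcp-reset
-A input_wan -p tcp --dport 22 -j ACCEPT
-A input_wan -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("open", OPEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, "GUI reachable from WAN:", gui_reachable_from_wan(dump))
```

On a router, feed it the live table with `iptables-save` (and `ip6tables-save`, which uses the same format, for the IPv6 side the reply mentions). Anything that only matches by source address or port range is treated as a wildcard, which errs toward reporting the port as reachable; a result of "not reachable" from this script therefore means the ruleset closes the port regardless of where the connection comes from.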
